Chronicles of a Ukrainian Pentester.

Security Hole is a security event hosted in Lviv by OWASP and SoftServe. This event is a meeting place for all researchers, experts, developers, QA engineers and managers who are interested in avoiding security defects in their software. We teach and share our knowledge based on real projects and case studies.

They say that with great power comes great responsibility. Judging from today's all-consuming passion for wearables and their seemingly endless functionality, this rule should be applied, first and foremost, to wearables security. Unfortunately, you are not the only one who can take advantage of the data collected by smart devices. To counter attackers' activity, it is important to know that the wearables risk zone covers three components:

1. The wearable device itself

2. The device you transmit data to (e.g., a smartphone)

3. The cloud

So what are the top wearables security risks, and what may result from careless handling of your data?

Invading Privacy: Targeted Advertising

Have you ever had the feeling you are being watched after that last Hunkemöller collection ad popped up in the sidebar on Facebook, or after EasyJet sent you a special offer for Mallorca? Apparently, marketing specialists today inspect their target audience by the principle Sting was singing about: every step you take, every click you make, they'll be watching you. Customization as a trend is harmless in itself, but at some point tracking your web activity may turn into an unhealthy invasion of privacy, or the collected data may be used against you.

Spying, Robbing, Housebreaking

Checking in via Foursquare may be more dangerous than you think and poses a serious wearables risk. For burglars and robbers, your location may serve as a green light to break into your house. A perfect example is a recent viral Internet story about Keri McCullen, who shared her excitement about going to a concert and came back home only to find out she had been robbed.

Blackmail

The recent iCloud nude photo leak scandal proved that private information may be a weapon for blackmail or public humiliation. Attackers do not necessarily need your photos: because of self-tracking, anything you post or do may be used against you.

Health Damages

Barnaby Jack's experiments showed that by attacking healthcare devices such as pacemakers and insulin pumps, it is possible to increase the voltage delivered by a pacemaker or deliver ten times the insulin dose and kill a person.

Ten Easy Steps to Mitigate Wearables Security Risks

No panic: by treating your wearable and the data it tracks with due attention and care, you can easily mitigate potential threats. Here are some basic preventive steps to strengthen your wearable security:

Monday, 11 August 2014

In today's technology environment, the issue is no longer whether your business is vulnerable to cyber security threats or may someday be attacked; the issue is "When?" and "Will you be prepared?" The widespread use of cloud computing, SaaS and smart devices leaves businesses of all types and scales more vulnerable than ever to attacks on their information systems. A company's financial security, intellectual property and level of trust are at risk. Everything can be lost as the result of a successful attack.

Security can't be an afterthought or an adjunct task in the software development process. The reality of the threat makes it necessary to tightly integrate security into the software development lifecycle (SDLC). Identifying security issues at the end of development is too late.

When you incorporate security into your SDLC, you create
applications that are secure by design, not by chance or circumstance.

In particular, security in continuous integration (CI)
environments can be challenging. The goal of CI is to provide rapid feedback on
disparate code changes, allowing developers to correct errors as soon as
possible by identifying functional defects introduced into the larger code
base. In this environment, integrated security testing is needed to provide
developers a real-time threat assessment of all changes they’ve made,
regardless of their operational success in the larger code base. Without
integrated security testing, there’s a risk of re-engineering solutions
multiple times to address security threats detected long after functional
solutions are accepted. That wastes valuable time, money, energy and effort.

Following are three pillars to build security into a
continuous integration development environment, creating applications capable
of standing up to any security threat:

1. Leverage Interactive Application Security Testing (IAST)

IAST combines the techniques and benefits of static and dynamic application security testing into a single solution, increasing the overall accuracy of testing by continuously running automated malicious traffic against applications under development while monitoring the applications at runtime. IAST observes information from inside the application under test, including runtime requests, data and control flows, libraries and connections, to create a comprehensive testing environment that simulates real-world attacks. This includes context awareness, allowing organizations to prioritize different risks, as opposed to prioritizing vulnerabilities without the ability to assess their impact on data in the event of an attack.

IAST is the future of security testing and should be a mainstay of SDLC environments.

2. Choose the Right Tool for the Job

There are a variety of tools on the market capable of providing value in an integrated security SDLC environment. As with all choices, some solutions may prove inadequate or overkill for the task at hand. A good motto to follow when evaluating testing environments is, "Just because you can, doesn't mean you should." In other words, security testing requires the right tool for the job at hand, not just any tool that serves some purpose.

The right tools are needed to create the level of testing
required to assure security of the application under development. This isn’t an
area you want to skimp on or misalign.

3. Involve Your Security Analyst

Although security is everyone’s responsibility, it’s wise to
have someone responsible to continuously oversee all security testing efforts.
Security analysts should be used to verify and coordinate all test results,
investigate suspicions of false positives and negatives, explain security
defects to developers and educate quality assurance staff on ways to detect
business logic defects.

Having a security analyst on your team throughout the SDLC
process raises the importance of application security and provides a voice on
the team that won’t compromise security for operational or functional
abilities. As security shouldn’t be an afterthought in development, it
shouldn’t be an afterthought in responsibility.

Conclusion

Cyber attacks are a real and growing threat to business and individuals
that we need to prepare to quickly detect and thwart. One of the best defenses
against a cyber attack is to develop applications within an integrated security
environment. In this environment, security is part of the software development
process, as opposed to a parallel or after-action activity.

A big part of preparedness is selecting the right
methodology. IAST is the latest approach to application security testing that
provides continuous, real-time feedback on simulated cyber attacks. This is
especially valuable in CI environments where disparate code changes are rapidly
introduced for testing within a larger code set.

Beyond the testing environment, the tools and testing
configurations you employ need to match your unique situation. While more than
one testing solution may provide a level of functionality, security is too
important an issue to use anything less than ideal support systems.

Last, but not least, security analysts should be an integral
part of your development team. Their uncompromising voice for security
underscores their importance in the development process and keeps security a
top priority within your team.

The safe assumption is that your business will be under
attack at some point in the future and catastrophic financial, intellectual
property and customer losses may be the result of not being properly prepared.
The issue developers need to address is how well they are prepared to withstand
an attack, and that begins with measures taken in the software development
process.

Where to train your QA engineers in Security for FREE?

With the rapid increase of web applications on the internet, the question of their security becomes more and more critical. It is difficult to learn and practice web application security. Not everyone who deals with security testing has an environment with web applications, such as an online computer store or an online bank, that can be used to scan for vulnerabilities. Additionally, security professionals need to test their tools against environments with known vulnerabilities to ensure that they are working properly. All these activities have to be done in a legal environment without breaking the law. And this is one of the main blockers in the training process.

Security communities all over the world took these facts into account and prepared a lot of great material: online environments and vulnerable applications that can run locally to learn and practice web application security.

Security Compass prepared a free online course based on the Top 10 web application vulnerabilities for 2013 according to the Open Web Application Security Project (OWASP). This course is available on their website. The easiest step-by-step guideline for students is available on the Computer Security Student website.

The OWASP Mutillidae II Project provides a free, open source, deliberately vulnerable web application that serves as a target for web security enthusiasts. It has several tasks for each vulnerability from the OWASP Top 10 list. Currently version 2.0.7 of Mutillidae is available.

The OWASP WebGoat project, prepared by the OWASP community, was designed to teach web application security lessons. It is easy to run and practice with. Students are able to log in to the application with different accounts, get a description of each lesson and, if needed, obtain lesson solutions. The difference from the previous project is that it contains lessons dedicated not only to breaking security but also to fixing vulnerabilities by providing secure code.

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. This project is very similar to Mutillidae: here you have no concrete tasks to solve, but you have scripts with common vulnerabilities:

The codelab Web Application Exploits and Defenses by Bruce Leban, Mugdha Bendre, and Parisa Tabriz provides a platform that can be accessed online or installed locally. It has tasks for both black-box and white-box testing. This codelab shows how to exploit existing web application vulnerabilities and how to defend against these attacks.

OWASP prepared the Broken Web Applications (BWA) Project, which produces a virtual machine running a variety of applications. Some of them were described earlier:

Capture The Flag (CTF) security competitions are probably the most interesting for security specialists. Tasks are available online and don't need additional software. And there is a clear goal: get the flag. One of the projects is Hack This Site, with a set of challenges. Another CTF project, from Enigma Group, also has a set of missions that are available here. Here security specialists and enthusiasts can try their skills competing with other teams.

These resources are available for free and cover a lot of the fundamental aspects that security testers need. Of course, this is not a full list of resources for practicing web application security, but it is more than enough to fill your time with interesting activity.

Tuesday, 27 May 2014

Website Security Risks

In my experience as a Security Consultant, I've witnessed numerous cases when a lack of proper web server support and maintenance resulted in a company's website being hacked and exploited by attackers. Unfortunately, it is not rare for businesses to invest in website development only, or to store all their websites (as well as mail servers) on a single dedicated machine without an established and safe backup process. Additionally, if a company lacks a comprehensive security strategy and prefers to overlook the well-known security principle of "better safe than sorry", a website administrator may not be ready for real-time attacks, which might result in the website being down and sensitive data compromised.

Sure, skimping on server and website maintenance, regular security check-ups and training will save you money in the short run. However, in the long run you'll save more if you invest in a secure server hosting provider and proper software architecture instead.

A simple truth is that it doesn't matter which framework you selected for website development a couple of years ago: Joomla, WordPress, ASP.NET or Java. As time goes by, they all need to be patched for discovered vulnerabilities and require regular security check-ups. The frameworks provide a fast and cheap way to create great websites, so businesses (even large brands such as Barnes & Noble, Citibank or Peugeot) continue using them despite the security risks presented by possible vulnerabilities; what's important is that they should specifically focus (and many large brands do) on proper website security and maintenance.

Secure Software Development: Levels of Responsibility

Owning a website is similar to owning a car: you pay to get it to work smoothly, go fast, look impressive and help you earn money. Just like with a car, you need to properly maintain your website:

In a company, website security starts with a developer, who should write secure code. Then, a Quality Assurance expert tests the code for bugs and possible vulnerabilities. Next, a DevOps expert's task is to automate build processes, patch application and server software, and monitor performance and log files. At the next stage, a Security expert should review the results with security in mind. Then, there is the CIO.

Any mid-size or large company would have a person responsible for IT, who's typically known as the CIO (Chief Information Officer). At times, this role could be combined with the CTO and even the CEO. Either way, this person is responsible for decisions on IT support and website operations, as well as for preventing website security breaches, as it is the IT staff that should support the company's servers. A part of this process is designing backups and recovery plans for after-the-incident cases. Continuing with the car analogy, it's similar to ensuring your spare wheel is functional in case of emergency.

When your IT engineers (or your software development vendor) develop software, your CTO/CIO should define where to deploy it (on separate servers on Amazon or in dedicated containers vs. all sites on a single server) and how it should operate and be protected. Otherwise, you should ask your internal (or your vendor's) security consultants to design and implement a proper security strategy.

Six Simple Tips to Ensure Website Security:

1. Educate your organization. Tell your employees that Security experts need to ensure that the application is secure in code and design. Explain that DevOps experts are needed to implement monitoring and patch management as well as secure support of your server and software. Security often goes hand in hand with DevOps, architecture assessment and business analysis, and vice versa.

2. Don't put all your eggs in one basket. Do not store all websites on a single server. It is architecturally wrong and could negatively affect website performance.

3. Patch your web apps and web server. Regardless of the framework you use, it's important to remember that none is a safe haven for your website. All of them have some vulnerabilities, which will have to be addressed.

4. Engage DevOps and/or a security service provider. Your websites need regular check-ups for code and server security review and assessment. If you don't have such experts internally, contact security vendors and ask them to help you establish a comprehensive security strategy and develop a plan for regular security check-ups.

5. If you're outsourcing your website development, make sure that security is part of the deal. Discuss the security maintenance and check-up options with your vendor. For long-term strategic partnerships, you might want to consider a shared responsibility model.

6. The greedy pay twice. Don't skimp and don't cut corners on security, especially if you're responsible for protecting sensitive data of your website users. Security is a significant part of quality service and customer satisfaction.

Tuesday, 8 April 2014

Today all enterprise security systems are client-server based and managed from a central location. Any cloud instance with a security agent (Symantec, Forefront, Kaspersky) installed inside the OS could be deactivated by a qualified attacker. This leaves the cloud instance unmanaged and without any active protection. Imagine a situation where 100500 Amazon Windows instances (or all Azure instances with port 3389 open) are infected by a virus through a 0-day RDP vulnerability. Should you stop all these instances for maintenance and to stop the infection? Who will be responsible for managing the clean-up of all these OSs? Is it possible to centrally stop this infection in my cloud? We will show how Virtual Machine Introspection (VMI) can help stop new threats and change the cloud security management approach.

Today clouds are mostly built on different types of virtualization. The security of applications benefits from virtualization by running them in isolated virtual machines (VMs) and building smaller trusted computing bases (TCBs).

But how else is virtualization used today to enhance security? Virtual Machine Introspection opens new horizons for private and public cloud security that will soon totally change our understanding of managing software in the cloud.

The main problem of all modern security management and monitoring systems is stealth and tamper resistance. The problem with agent-based monitoring and protection is that all these agents can be detected by a user or malefactor and be subverted and/or disabled by the attacker.

By contrast, hypervisor-based security resides outside the guest VM and is thus tamper-proof against any malware infection inside a VM.

VMI provides the following benefits from a security perspective:

1. Central processing of security functions is more efficient than distributing security controls and the related overhead to each VM.

2. No host agents are required, guaranteeing security for all VMs regardless of operating system type and patch level, and with no impact on applications running inside the VMs.

3. Tamper-proof security. Host agents are subject to being compromised by the very malware they aim to thwart (e.g., Conficker turning off A/V).

VMI is like an X-ray view of all VM states in your private cloud, including installed applications, operating systems and patch levels. It can be used for detection, protection and management, compliance and automated security enforcement. VMI uses the capabilities of the hypervisor to supervise VM behavior.

Virtual Machine Introspection (VMI) can be positioned as out-of-the-box VM management that allows monitoring of all hosted virtual machines and has many applications in areas such as security and systems.

From a cloud provider's perspective, let's use the following terms for the host server and the guest OS (cloud instance):

Inspection: the host server virtualization system (VMM) can examine the entire state of the guest system (memory, devices, storage, executed commands, etc.).

Interposition: the VMM can interrupt guest code at any time (stop the loading of a malicious payload and stop the virus body from being loaded into memory).

This approach to controlling virtual operating systems can also be used to protect the operating system at the hypervisor level, which is the newest approach in designing systems to protect information in enterprise systems.